The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Is it possible to scan an app that uses the Microsoft b2clogin.com IdP?

Russell | Last updated: Sep 06, 2022 12:48AM UTC

I'm trying to scan an application that uses b2clogin.com (Azure Active Directory B2C, formerly login.microsoftonline.com) for handling user auth but am unable to get it working. Is this possible? AIUI using the login recorder is the recommended way to handle IdPs that are external to the application, but this isn't working for me. I believe the b2clogin.com flow meets all the requirements at https://portswigger.net/burp/documentation/desktop/scanning/recorded-logins#limitations-for-recorded-login-sequences.

When I test login playback:

* the initial URL (the application under test) is loaded and 302s to b2clogin.com
* email address and password are successfully entered
* the "sign in" button is successfully clicked
* rather than returning to the app under test, the b2clogin.com page redirects back to itself with the email field prefilled and the password field empty, and that's the end of the script

I've also tried the plain login credentials (username/password) scan login type, but it looks like this requires the IdP to be included in scan scope in order to actually get to the login pages, and then the scanner wades into the tarpit of testing Microsoft's public IdP, which is not what I'm interested in doing.

I'm using Burp Pro 2022.8.4.

Russell | Last updated: Sep 06, 2022 09:46AM UTC

I can't share the specific application I'm trying to scan, but https://theiet.org/my is an open-registration service that uses b2clogin.com and shows the same behaviour.

Hannah, PortSwigger Agent | Last updated: Sep 06, 2022 10:37AM UTC

Hi, could you drop us an email at support@portswigger.net with a screen recording of you recording your login sequence and then replaying it, so we can see the intended behavior and the recorder's actual behavior?

Doctorprinz | Last updated: Sep 14, 2022 08:53AM UTC

Same here, do you have any solution yet?

Hannah, PortSwigger Agent | Last updated: Sep 14, 2022 09:03AM UTC

We're not sure why this issue occurs. However, we managed to resolve this issue by duplicating the recorded login script from the point after the email address was entered. This meant that the login replayer resubmitted the login page with the correct password details. Feel free to drop us an email at support@portswigger.net if you require any further assistance with this.
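The workaround above (duplicating the recorded steps from the point after the email address is entered, so the replayer fills the password and clicks sign-in a second time when B2C reloads its own page) can be applied to an exported recorded-login script rather than re-recording it. The following is an added example, not code from the thread or from PortSwigger. It assumes a recorded-login script is a JSON object whose "script" key holds an ordered list of steps with "type", "selector", "value" and "url" fields; those field names, the selectors and the sample script are constructed for illustration, so check them against a script exported from your own Burp before relying on this.

```python
import copy
import json

# Constructed sample in the assumed shape of a Burp recorded-login script.
# Field names ("type", "selector", "value", "url") and selectors are
# assumptions for this example, not the documented format.
RECORDED_LOGIN = {
    "script": [
        {"type": "navigate", "url": "https://app.example.test/"},
        {"type": "input", "selector": "#email", "value": "user@example.test"},
        {"type": "input", "selector": "#password", "value": "placeholder-password"},
        {"type": "click", "selector": "#next"},
    ]
}


def find_email_step(steps, email_selector="#email"):
    """Return the index of the step that fills the email field, or raise."""
    for i, step in enumerate(steps):
        if step.get("type") == "input" and step.get("selector") == email_selector:
            return i
    raise ValueError(f"no input step targeting {email_selector!r}")


def duplicate_after_email(script, email_selector="#email"):
    """Return a new script with every step after the email entry appended
    again, so the replayer re-enters the password and clicks sign-in a second
    time after B2C redirects back to itself with the password field cleared.
    The input script is not mutated."""
    steps = script["script"]
    idx = find_email_step(steps, email_selector)
    tail = copy.deepcopy(steps[idx + 1:])
    if not tail:
        raise ValueError("nothing recorded after the email step to replay")
    return {**script, "script": steps + tail}


if __name__ == "__main__":
    # Print the adjusted script; paste the output back into Burp's recorded
    # login configuration, then replay and confirm it ends on the app URL,
    # not on b2clogin.com.
    print(json.dumps(duplicate_after_email(RECORDED_LOGIN), indent=2))
```

After loading the adjusted script, replay it once and check that the final navigation lands on the application under test rather than on b2clogin.com; if the replay still stops on the IdP page, the duplicated tail is the wrong set of steps (for example the email selector did not match) and the script should be re-recorded.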

Doctorprinz | Last updated: Sep 14, 2022 09:35AM UTC